If you buy databases containing customers' personal information, you must comply with data protection requirements. These requirements are set out in:
- General Data Protection Regulation (GDPR)
- Data Protection Act (DPA)
- The Privacy and Electronic Communications Regulations (PECR)
Businesses generally may only use personal information from a bought-in database if the individuals consented to their information being passed on. You must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. They must have specifically consented to receive a particular type of message from you. Generic third-party consent is not enough and organisations must carry out rigorous checks before relying on such consent.
Neither the DPA nor PECR ban the use of marketing lists, but organisations must take steps to ensure a list is compiled fairly and accurately reflects people's wishes. The Information Commissioner's Office provides guidance on using marketing lists.
Sell the database of a defunct business
A business that is insolvent, bankrupt, being closed down or sold may sell its customer database without consent under the following circumstances:
- the seller must make sure that the buyer understands they can only use the information for the purposes for which it was originally collected
- any use of the information should be within the reasonable expectations of the individuals concerned
- consent is sought if the information is to be used for a different purpose
- the individuals are informed about the new owner and given their contact details